Web Flaws and Vulnerabilities

WPS Hide Login v1.5.2.2 Multiples Vulnerabilities

Blog Web Flaws and Vulnerabilities WPS Hide Login v1.5.2.2 Multiples Vulnerabilities
0 comments

WPS Limit Login is edited by WP Serveur, WordPress french host. Criticity level for this update is low.

Protection ByPass #1

File : /classes/plugins.php

Lines : 427 

if ( isset( $request['query'] ) && strpos( $request['query'], 'action=confirmaction' ) !== false ) {

    @require_once ABSPATH . 'wp-login.php';

}

Issue : If the URL contains “action=confirmaction” it’s enough to acces the login page. 

Demo : https://example.com/wp-login.php?SECUPRESSaction=confirmaction

Protection ByPass #2

File : /classes/plugins.php

Lines : 477-480

if ( is_admin() && ! is_user_logged_in() && ! defined( 'DOING_AJAX' ) && $pagenow !== 'admin-post.php' && ( isset( $_GET ) && empty( $_GET['adminhash'] ) && $request['path'] !== '/wp-admin/options.php' ) ) {

wp_safe_redirect( $this->new_redirect_url() );

die();

}

Issue : Reading the code, you can see that if the param “adminhash” is present in the l’URL, you’ll have the right to access the login page.

Demo : https://exemple.com/wp-admin/?adminhash=1 

Protection ByPass #3

File : /classes/plugin.php

Lines : 653-656

if ( ! empty( $_GET ) && isset( $_GET['action'] ) && 'rp' === $_GET['action'] && isset( $_GET['key'] ) && isset( $_GET['login'] ) ) {

wp_redirect( $this->new_login_url() );

exit();

}

Issue : This code is active if your have WooCommerce activated (+60% of WP e-commerce).

Demo : https://example.com?action=rp&key&login 

Protection ByPass #4

File : /classes/plugin.php

Lines : 563

if ( strpos( $url, 'wp-login.php' ) !== false ) {

Issue : Still we check the presence os a string in the URL (referer) to give the right to access to the login page.

Demo : You have to modify the header “Referer” and just add “wp-login.php”. Now send an empty POST request on”https://example.com/wp-login.php?action=postpass“.

The WordPress core will do this:

if ( ! array_key_exists( 'post_password', $_POST ) ) {

wp_safe_redirect( wp_get_referer() );

exit();

}

So, our referer will be read, then pass through our hook and since “wp-login.php” is present, we will be redirected on the login page.

Default Parameter Usage

File : /classes/plugin.php

Issue : If a default value is used, we know that the default is “login”, so if I can’t access to your login page, I’ll try “/login” first. Also, /login is already a shortcut in WordPress, so it’s not really changed, bots already know that one.

Full Path Disclosure

File : /classes/plugin.php

Lines : 498

&& ( $result = wpmu_activate_signup( $referer['key'] ) )

Issue : If we trigger the hook “wps_hide_login_signup_enable” with the correct URL we will get a Fatal Error because the function wpmu_activate_signup() is not declared yet, there is a lack of file inclusion. The displayed error discloses the path information.

These vulnerabilities has been patched in v1.5.3

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

This might interest you too

0 comments